Update PeekingPeerConnector to use PeerOptions API

.. for SSL_set_options() call.

Allowing parsedOptions to be private within PeerOptions
which is needed to safely delay its value being set until
after squid.conf line is fully parsed.

diff --git a/src/security/PeerOptions.cc b/src/security/PeerOptions.cc
index 627e5c43ee99c6d4b9b3604207761a98d813d38a..a2ec2a46946f7570188501be2fba22c8712a1fe0 100644 (file)
--- a/src/security/PeerOptions.cc
+++ b/src/security/PeerOptions.cc
@@ -598,7 +598,7 @@ Security::PeerOptions::updateContextOptions(Security::ContextPointer &ctx) const
 #if USE_OPENSSL
     SSL_CTX_set_options(ctx.get(), parsedOptions);
 #elif USE_GNUTLS
-    // NP: GnuTLS uses 'priorities' which are set per-session instead.
+    // NP: GnuTLS uses 'priorities' which are set only per-session instead.
 #endif
 }
 
@@ -726,7 +726,9 @@ void
 Security::PeerOptions::updateSessionOptions(Security::SessionPointer &s)
 {
 #if USE_OPENSSL
-    // 'options=' value being set to session is a GnuTLS specific thing.
+    // XXX: Options already set before (via the context) are not cleared!
+    SSL_set_options(s.get(), parsedOptions);
+
 #elif USE_GNUTLS
     int x;
     SBuf errMsg;

diff --git a/src/security/PeerOptions.h b/src/security/PeerOptions.h
index 43da1afec187fd9ef5c7949c620f64709cb314a2..349081c1214e7da84a9d0f992497ccacc9ee8806 100644 (file)
--- a/src/security/PeerOptions.h
+++ b/src/security/PeerOptions.h
@@ -82,7 +82,9 @@ public:
 
     SBuf tlsMinVersion;  ///< version label for minimum TLS version to permit
 
+private:
     Security::ParsedOptions parsedOptions; ///< parsed value of sslOptions
+public:
     long parsedFlags = 0;   ///< parsed value of sslFlags
 
     std::list<Security::KeyData> certs; ///< details from the cert= and file= config parameters

diff --git a/src/ssl/PeekingPeerConnector.cc b/src/ssl/PeekingPeerConnector.cc
index 8531398e539391abea3f90fb341de5f9b17b2213..1a6f996c3da6d29e451f3ffdf2ea2a57caf20239 100644 (file)
--- a/src/ssl/PeekingPeerConnector.cc
+++ b/src/ssl/PeekingPeerConnector.cc
@@ -185,7 +185,7 @@ Ssl::PeekingPeerConnector::initialize(Security::SessionPointer &serverSession)
             srvBio->mode(csd->sslBumpMode);
         } else {
             // Set client SSL options
-            SSL_set_options(serverSession.get(), ::Security::ProxyOutgoingConfig.parsedOptions);
+            ::Security::ProxyOutgoingConfig.updateSessionOptions(serverSession);
 
             const bool redirected = request->flags.redirected && ::Config.onoff.redir_rewrites_host;
             const char *sniServer = (!hostName || redirected) ?